home.social

#appsec — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #appsec, aggregated by home.social.

  1. While we're happy for our prize and that our exploit targeting OpenAI's Codex in the Coding Agent category was successful at #PWN2OWN, this was a collision💥 as the bug was previously known to the vendor. Back to the research! #P2OBerlin

    #doyensec #appsec #security #ai #openai

  2. I wrote up how I think AppSec teams can adapt to and benefit from agentic engineering and its effects on the SDLC: Move from detection to mitigation. Become engineers, not gatekeepers. Partner with SRE and platform engineering.

    janbrennenstuhl.eu/appsec-agen

    #sdlc #appsec #agenticengineering

  6. OWASP Ottawa (@owaspottawa.bsky.social)
    🚨 OWASP Ottawa May 2026 Meetup - with Jainil Malaviya and Kira Evans

    Kira will speak about the power of volunteering, building connections, and taking action with the Ada Sisterhood.

    Jainil Malaviya will cover how a malware analyst would approach the self-replicating worm called Shai-Hulud.

    📍 Location: 150 Louis-Pasteur Private, University of Ottawa, Room 117
    📅 Date: May 20, 2026
    ⏰ Time: 6:00 PM EST - Arrival, networking, & pizza! 🍕
    6:30 PM EST - Technical Talks

    #OWASP #Ottawa #Cybersecurity #Malware #InfoSec #AppSec #Tech

  7. How can you measure security in #ML systems? Maybe similarly to the way we measure security in software systems. #swsec #appsec

    BIML wrote about this in a new report released today: berryvilleiml.com/results/

    Get your copy now, released for free under a creative commons license.

    Applied #MLsec

  9. If you're attending #PWN2OWN, be sure to watch Doyensec's Leonardo Giovannini demonstrate his #OpenAI Codex 0day exploit live Thursday, May 14 at 15:30.

    If you can't make it in person, keep an eye on blog.doyensec.com/ for more great #ai security research like this - coming very soon!

    See the PWN2OWN schedule here: zerodayinitiative.com/blog/202

    #appsec #doyensec #ai #0day #exploit

  14. AI-assisted development is compressing build cycles and expanding attack surface at the same time. More code, shipped faster, with less time for security review.

    XBOW runs continuous, exploit-validated offensive security testing built for exactly this environment.

    That's why we're so proud to have them as Platinum Sponsor of AppSec Village 2026!

    Check out what they do ⬇️
    buff.ly/FJzfqkv

    #sponsorshoutout #platinumsponsor #thankyou #appsec

  15. SAST scanner with AI: Permissions are missing in your app manifest. Please add the android:readPermission and android:writePermission permissions settings. Exported = "false" isn't enough; someone could accidentally change it! #ai #sast #appsec #security

  20. NIST’s selective NVD enrichment is a big wake-up call for AppSec teams: more CVEs, less context, and more manual triage ahead. jpmellojr.blogspot.com/2026/05 #NVD #CVE #NIST #AppSec

  21. ASOC, quick and dirty: how I vibe-coded a replacement for DefectDojo for my own needs, with enrichment from БДУ ФСТЭК (FSTEC's vulnerability database)

    When I started looking into what open source could cover the ASOC / Vulnerability Management task, the choice turned out to be rather sad. Essentially the only well-known option is DefectDojo. I never ran it in production myself, but from colleagues I regularly heard the same pain: on large volumes of findings it starts to choke, you quickly stop wanting to open the UI, and I simply did not find any open source alternative with a humane interface and БДУ ФСТЭК "out of the box". That is how my ASOC platform came about: Go + PostgreSQL + Redis Streams + React, deployed with a single `docker compose up`, a million findings without lag (almost), enrichment from 7 sources, and a prioritization formula that takes into account not only CVSS but also EPSS, CISA KEV and БДУ ФСТЭК. In the article I go through the architectural decisions, the pitfalls, and why I threw out the ORM before the first line of SQL. This is not an article about a finished commercial product, and it is not a PR release. It is rather a breakdown of how and why Red Lycoris was designed: an open source platform for centralized storage, deduplication, enrichment and prioritization of vulnerabilities. I am building it alone, and if it is useful to anyone, I will only be glad. If you find where I went wrong in the architecture, I will be doubly glad.

    habr.com/ru/articles/1033530/

    #ASOC #AppSec #DevSecOps #DefectDojo #vulnerability_management #БДУ_ФСТЭК #onpremise #airgapped #Go #PostgreSQL

  22. A huge thank you to Chainguard for their support of AppSec Village as a Gold Sponsor this year.

    The work they're doing to secure the software supply chain matters - and we're glad to have them in the village! 💙

    Find out more: images.chainguard.dev/?utm_med

    #sponsorship #sponsorshoutout #goldsponsor #appsec

  23. The software supply chain is the new invisible perimeter. With threat actors targeting CI/CD pipelines, understanding CWE-1395 is critical for #DevSecOps professionals. Check out our deep dive into supply chain vulnerabilities and SBOMs. cvedatabase.com/blog/the-invis #AppSec #CyberSecurity #SBOM #CWE1395

  25. New by me: Vibe Coding Has a Security Problem, and Shipping Code You Do Not Understand Is Not a Strategy

    AI-assisted coding can absolutely help teams move faster. It can also help them ship weak access controls, insecure defaults, risky dependencies, and code nobody on the team can confidently defend.

    I wrote about why that matters and why review still matters just as much as speed.

    kylereddoch.me/blog/vibe-codin

    #Cybersecurity #AppSec #AI #SecureCoding

  26. 🚨 Emergency DevSec Station drop.
    There's an active npm supply chain attack happening right now. Compromised packages are stealing SSH keys, AWS credentials, GitHub tokens, browser passwords, and crypto wallets on install. They then use your publish token to infect every package you maintain.
    One command can protect you immediately: npm config set ignore-scripts true
    Do it today, please. Tell your team. Watch the full 60 seconds.
    #AppSec #SupplyChainSecurity #DevSecOps #SecureCoding #npm

  27. 🚨 CRITICAL: OpenAEV-Platform (<2.0.13) uses non-expiring, 8-digit password reset tokens. Unauthenticated attackers can take over any account — including admins. Upgrade to 2.0.13 ASAP. CVE-2026-24467 radar.offseq.com/threat/cve-20 #OffSeq #Vuln #AppSec #PasswordSecurity

  31. NoSQL Injection Attacks: MongoDB, CouchDB, and More – NoSQL injection

    In this article, I cover how NoSQL injection works, common attack vectors, and practical mitigation techniques.
    denizhalil.com/2025/12/23/nosq

    #CyberSecurity #NoSQL #MongoDB #CouchDB #WebSecurity #AppSec #Injection #InfoSec #Pentesting #RedTeam #BlueTeam #securecoding

  32. The security implications of "Tokenmaxxing" cannot be ignored. As code churn increases by 800%+, the window for technical debt - and potential vulnerabilities - widens. If 10-30% of AI code is being rewritten within weeks, what does that say about the initial security audit of that code?

    Source: techcrunch.com/2026/04/17/toke

    Are you seeing more insecure patterns creeping into codebases via AI agents? Let’s discuss the risk-to-reward ratio of AI-accelerated development. Follow us for more technical analysis of the AI landscape.

    #InfoSec #AppSec #CyberSecurity #SecureCoding #DevSecOps #Technadu

  33. The pentest professionals at #usdHeroLab identified a vulnerability in #EntraID during a cloud #pentest that allows the circumvention of conditional access policies for privileged identities.

    Two additional vulnerabilities were identified during a web application pentest of #Tenable Nessus Manager, which allow low-privileged users to read arbitrary files at the operating system level.

    All #vulnerabilities were reported to the vendors as part of our Responsible Disclosure policy.

    🔎 You can find detailed information on the #SecurityAdvisories here: usd.de/en/security-advisories-

    #SecurityResearch #SecurityAdvisory #moresecurity #NessusManager #Pentesting #Hacking #CVE_2026_3493 #AppSec #InfoSec #CyberSecurity

  34. Hello AppSec community!

    Our preparations for German #OWASP Day 2026 (GOD) are in full swing. As some of you may have noticed, the website is already live (and kicking): god.owasp.de/

    This year’s GOD will take place on September 24, 2026, in Karlsruhe. It's a one-day conference with two tracks. We will once again be offering community training sessions on the day before, i.e. the 23rd of September. That evening will -- as usual -- feature networking and professional discussions in a relaxed atmosphere with food and beverages.

    We recently opened the call for community trainings. They were extremely well-received last year, and we’d like to build on that success this year.

    So if you have a topic you’d like to present in a half-day session, check out the Call for Community Trainings (CfT): lnkd.in/edAnfmZ4 . It's planned to stay open until April 12, 2026. If you happen to know someone who's good at explaining a relevant topic (see CfT) to a small group of people, feel free to forward the pointer to the CfT.

    The Call for Presentations will open next week.

    #AppSec #infosec #Security #SDLC #AI #LLM #CISO